From 45875a4d7bbd6bb8a943572d84fef5ca2bb18291 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 8 Apr 2009 16:39:33 +0000
Subject: [PATCH] Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG, which requests delegation only if the ok-as-delegate ticket flag is set.
ticket: 6203
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22185 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/generic/gssapi.hin | 1 +
 src/lib/gssapi/krb5/init_sec_context.c | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/generic/gssapi.hin b/src/lib/gssapi/generic/gssapi.hin
index d33a0b505..422b4dbef 100644
--- a/src/lib/gssapi/generic/gssapi.hin
+++ b/src/lib/gssapi/generic/gssapi.hin
@@ -141,6 +141,7 @@ typedef int gss_cred_usage_t;
 #define GSS_C_ANON_FLAG 64
 #define GSS_C_PROT_READY_FLAG 128
 #define GSS_C_TRANS_FLAG 256
+#define GSS_C_DELEG_POLICY_FLAG 32768
 /*
 * Credential usage options
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 631cbe080..5559fadbc 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -209,7 +209,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 if (code) {
 /* don't fail here; just don't accept/do the delegation request */
- data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+ data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG |
+ GSS_C_DELEG_POLICY_FLAG);
 data->checksum_data.length = 24;
 } else {
@@ -495,6 +496,14 @@ new_connection(
 ctx->krb_times = k_cred->times;
+ /*
+ * GSS_C_DELEG_POLICY_FLAG means to delegate only if the
+ * ok-as-delegate ticket flag is set.
+ */
+ if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+ && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+ ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+
 if (default_mech) {
 mech_type = (gss_OID) gss_mech_krb5;
 }
-- 
2.26.2
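Review bot: The added mask in make_gss_checksum clears GSS_C_DELEG_POLICY_FLAG only on the failure branch; on success the bit stays set in `data->ctx->gss_flags`, and the else branch that fills in the checksum lies outside this hunk. If that flags word is what gets written into the checksum, a request-side policy bit (32768) would travel to the acceptor, so it is worth confirming that it is masked at the point of the write. If it is, a comment at that write would record the intent, for example `/* GSS_C_DELEG_POLICY_FLAG is local policy; keep it out of the checksum flags */`.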
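Review bot: The new test in new_connection consults only `k_cred->ticket_flags`, so for a service reached across realms the decision to forward a TGT rests on the ok-as-delegate bit of the final service ticket; nothing visible here looks at the cross-realm tickets obtained along the path. If that is the intended policy, the block comment should state it, e.g. add `* Only the service ticket's flag is checked; intermediate cross-realm tickets are not.` The hunk also does not show what happens to a requested GSS_C_DELEG_POLICY_FLAG when the ticket lacks ok-as-delegate; that depends on how ctx->gss_flags is initialised earlier in the function, outside the hunk, and deserves a check that the bit is not reported back in that case.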